How does one go about implementing MAC-based Ethernet VLANs on relatively modern Cisco switches?

We'd like to implement MAC-based Ethernet VLANs using Cisco 2900-series switches running IOS 12.1. Our goal is to register the Ethernet MAC addresses of authorized systems to a VLAN with unrestricted network connectivity, while unauthorized (and unregistered) devices are left in the default VLAN, which acts as a quarantine. We've searched through Cisco's online documentation and through this group's archives, but all we've found are references to something called VMPS.

We are aware of other network admission control/quarantine systems (e.g., 802.1x, DHCP-based quarantines), but we don't currently have the financial or technical capital to implement them. We are also aware of some of the problems with such a configuration (especially with respect to broadcast traffic), but in our case, it isn't feasible to define this VLAN by physical switch port (some of which are downlinks to unmanaged bridges and hubs).
By way of comparison, I implemented this on an old Nortel Passport 1051 switch with commands similar to the following:

    config vlan 10 bysrcmac 1
    config vlan 10 srcmac add 00:11:22:33:44:55

where "10" is the VLAN ID and "1" is the spanning tree group ID. The second command shows how one would add a device to the "whitelist" VLAN. The router is connected to switch port 3/1, which has tagging enabled and is a member of both the default VLAN and of this new VLAN, which I configured using commands similar to the following:

    config ethernet 3/1 perform-tagging enable
    config vlan 10 port add 3/1 member static

The router is VLAN-aware and provides limited Internet access for devices in the default (now quarantine) VLAN. All other switch ports are untagged, so that any Ethernet packets inbound on those ports will get tagged as VLAN 10 upon ingress, if the source MAC address matches the list programmed into the VLAN definition. DHCP works properly within this VLAN as well, though I've heard that this can be problematic in MAC-based VLANs.
Any help (even pointers to the relevant documentation) would be greatly appreciated.
Best wishes, Matthew
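
Added example, not part of the original post and not vendor code: a small Python model of the ingress classification described above, parsing raw Ethernet frames and assigning VLAN 10 to whitelisted source MACs. It assumes the default VLAN ID is 1 and that a tag arriving on an untagged port is ignored; the function names and sample frames are constructed for illustration.

```python
import struct

DEFAULT_VLAN = 1          # assumption: the default (quarantine) VLAN ID is 1
WHITELIST_VLAN = 10       # VLAN ID used in the post
TAGGED_PORTS = {"3/1"}    # router uplink from the post, tagging enabled

def norm_mac(text):
    """Normalize colon, dash or Cisco dotted notation to 12 lowercase hex digits."""
    digits = "".join(c for c in text.lower() if c not in ":-.")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits

def parse_frame(frame):
    """Return (source MAC, 802.1Q VLAN ID or None) from a raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    src = frame[6:12].hex()                      # bytes 0-5 are the destination
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == 0x8100:                      # 802.1Q tag present
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[14:16])
        return src, tci & 0x0FFF                 # low 12 bits carry the VLAN ID
    return src, None

def classify(port, frame, whitelist):
    """VLAN assigned on ingress under the rules described in the post."""
    src, tag = parse_frame(frame)
    if port in TAGGED_PORTS and tag is not None:
        return tag                               # tagged port keeps the frame's tag
    # Assumption: on untagged ports any tag is ignored and the source MAC decides.
    return WHITELIST_VLAN if src in whitelist else DEFAULT_VLAN

def make_frame(src, vlan=None):
    """Build a constructed broadcast IPv4 frame with a zero-filled payload."""
    hdr = bytes.fromhex("ffffffffffff" + norm_mac(src))
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return hdr + tag + struct.pack("!H", 0x0800) + b"\x00" * 46

# Constructed whitelist; the first address is the one shown in the post.
WHITELIST = {norm_mac(m) for m in ["00:11:22:33:44:55", "0011.2233.4466"]}

if __name__ == "__main__":
    samples = [("1/4", make_frame("00-11-22-33-44-55")),
               ("1/4", make_frame("de:ad:be:ef:00:01")),
               ("3/1", make_frame("de:ad:be:ef:00:01", vlan=10))]
    for port, frame in samples:
        print(port, parse_frame(frame)[0], "-> VLAN", classify(port, frame, WHITELIST))
```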